Hack A Facebook Account With ARP Poisoning

This article is a revised and more advanced version of what we learned in the post "Facebook Cookie Stealing And Session Hijacking". Before I get started, I would like to share that I have just passed my CCNP route examination with 95.3 percent and I am preparing for my CCNP switch examination, therefore I would not be able to post for a while. However, our Chief Editor "Dr Sindhiya Junjeo" will continue to update you with the latest hacking news until I return. So let's get back to the tutorial.

Acknowledged By Adobe Security Team

About three months back I reported an XSS (Cross Site Scripting) vulnerability in Adobe. Recently I came to know that Adobe has finally managed to fix the vulnerability after three long months. XSS, for those of you who don't know, is a web application vulnerability which enables the attacker to inject their own JavaScript inside the web application. XSS can at times become so dangerous that it could enable an attacker to compromise your entire computer system, apart from stealing your cookies and redirecting you to phishing pages.

Automatically Bypass XSS Filter With Snuck

Snuck is an automated, Selenium-based tool that, unlike typical web security scanners, helps discover XSS vulnerabilities in web applications. Its approach is based on inspecting the injection's reflection context and specialising the attack vectors accordingly, in order to increase the success rate of breaking a given XSS filter. The attack vectors are chosen on the basis of the reflection context (the pinpointed location where the injection falls in the reflecting web page's DOM). This is possible through the Selenium web driver, which allows operations to be replicated in web browsers. It requires an XML configuration file to be filled in, which tells snuck what it needs to do with respect to the tested web application. It supports Mozilla Firefox, Google Chrome and Internet Explorer, and the XSS testing is performed on a real web browser to mirror the attacker's and (possibly) the victim's behaviour.

What Is Project Tyler? Anonymous Reveals

Wikileaks is known worldwide for providing the common man with a great deal of delicate information about his or her country's government. It has caused trouble several times in the past by exposing scandalous information. Inspired by it, the Anonymous group has decided to create a similar portal to release information regarding sensitive matters to the public without any censorship. They are naming this project "Tyler".

Ethical Hacking Vs Penetration Testing

Recently a reader posted a comment on our previous post "jSQL Injection - Java GUI for Database Injection.", where he asked about the difference between ethical hacking and penetration testing. As I said in the reply to that comment, it has been a highly debatable topic among security researchers and hackers. According to some people, "hacking" cannot be ethical in any way, and lots of people do not like to associate the term "ethical hacker" with themselves. According to others, both have the same meaning, and the term "hacker" is used to attract people to courses and training programs.

jSQL Injection - Java GUI for Database Injection.

jSQL is an easy-to-use SQL injection tool that enables the user to retrieve database information from a distant server.

HSBC Recovers from the DDoS Attack, Anonymous Claims to Have 20,000 Debit Card Details.

Many HSBC customers were unable to log in to their internet banking accounts on Thursday, 18th of October. It has been stated that the problem started a little before 20:00 BST and lasted for around seven hours.

Fake Android App - Does Your Android Do More Than It Should?

Android's security has been breached, people! Stand down, stand down - this is a matter of personal security! And it's asking you to say Hello to the new Lookout??@#$#!!

Hands Up - This is a PC-jacking! The Wonders of Steam Browser Protocol Vulnerability.

For our readers who are unaware of the wonder that is 'Steam', here's a small description of how it influences our life. Steam is a digital distribution and digital rights management platform for games and various other software, and it runs on Windows, Mac OS X and Linux. Valve Corporation, the company that owns it, says that Steam offers over 2,000 titles and has more than 40 million active user accounts.

Advance Phishing Attacks Via HTML5 Fullscreen API

We realise that it's human nature to take advantage of inventions and innovations without having the slightest hint of the name of the developer or inventor. Ah, how cruel is our mind for playing tricks on us in the most desperate of times.

Talking about hidden and unknown developers, we must mention one man in particular - Feross Aboukhadijeh, who happens to be the developer of the YouTube Instant Search Engine. Aboukhadijeh is an independent security researcher, web designer and Stanford Computer Science student who has recently become the talk of the town for developing a phishing attack concept. The concept exploits a vulnerability in HTML5's fullscreen application programming interface.

Which spyware keylogger software to choose?

I continue the series of providing you with information on the best spyware keylogger software available online. In this post I will tell you about all the best spyware products available for various purposes. Today there exist many spyware keylogger programs, because a lot of people want to monitor the activities of their children, spouse, friends etc. Most people try to find a cracked version or serial key and end up infecting their PC with viruses. Most people are confused when selecting between spyware keylogger programs, so today the title of my post is "Which spyware keylogger software to choose?"

StumbleUpon Fixes The XSS Vulnerability

About a week ago I reported an XSS vulnerability inside StumbleUpon. I promised to disclose the vulnerability details once it got fixed. Recently I received an email from StumbleUpon. They told me that they have fixed the XSS vulnerability and that they would like me to test again whether it's still vulnerable to the Cross Site Scripting (XSS) attack. I tested the parameter and did not find any potential XSS inside it. Here is the email I received from StumbleUpon:

Yandex Bug Bounty Program - Is It Worth The Time?

Yandex also has a bug bounty program which pays a reasonable amount to security researchers who find security vulnerabilities inside their website. Recently I found multiple XSS vulnerabilities in a subdomain of Yandex. The company accepted it as a vulnerability, but unfortunately I did not qualify for a bounty as the vulnerability had already been reported by someone else.

StumbleUpon XSS Vulnerability


Update: StumbleUpon has fixed the XSS vulnerability. You can read more about it in my blog post "StumbleUpon Fixes The XSS".

Recently I wrote a post on "Detecting Cross Site Scripting Attacks XSS With Fiddler". In that post I explained how Fiddler can be helpful in detecting persistent and non-persistent cross-site scripting vulnerabilities inside a web application. Though it generates many false positives, it's still a very useful tool.

Detecting Cross Site Scripting XSS Vulnerabilities With Fiddler

For those of you who have subscribed to either my Facebook profile or RHA's Facebook fan page, you might know that I have been on a mission to discover XSS on high profile websites. I have found XSS in high profile websites like Microsoft, eBay, Apple, Adobe, StumbleUpon etc. Lots of people ask me about the methodology I use in order to detect cross-site scripting (XSS) vulnerabilities.

Well, honestly speaking, I don't use a single tool or a single strategy in order to detect/exploit XSS. My strategy involves a combination of Google dorks, automatic dork scanners and multiple free/commercial scanners in order to detect/verify/exploit the vulnerability. However, if you are targeting a high profile website, you won't find an XSS on the homepage. You need to look in the places where few people are searching. There, your chances of detecting XSS would be really high.

Rafay Baloch is an independent security researcher, Internet marketer, entrepreneur and SEO consultant. He is the founder of the RHA blog and multiple other blogs. Rafay got famous after finding a Remote Code Execution bug inside PayPal, for which PayPal awarded him a sum of $10,000.

RHA © 2013. All Rights Reserved.